Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!husc6!hao!ames!sdcsvax!ucbvax!hplabs!sdcrdcf!trwrb!desint!geoff
From: geoff@desint.UUCP (Geoff Kuenning)
Newsgroups: comp.unix.questions,comp.bugs.sys5
Subject: Re: SysV lp spooler a security hole
Message-ID: <1208@desint.UUCP>
Date: Wed, 9-Sep-87 22:54:55 EDT
Article-I.D.: desint.1208
Posted: Wed Sep  9 22:54:55 1987
Date-Received: Sat, 12-Sep-87 09:57:04 EDT
References: <313@pvab.UUCP> <193@sortac.UUCP>
Reply-To: geoff@desint.UUCP (Geoff Kuenning)
Organization: Interrupt Technology Corp., Manhattan Beach, CA
Lines: 19
Xref: mnetor comp.unix.questions:3993 comp.bugs.sys5:206

In article <193@sortac.UUCP> pls@sortac.UUCP (Pat Sullivan) writes:

> "/usr/spool/lp/request/[class]/d0-[sequence]", but these are normally
> readable only by user "lp" and group "bin".

Unfortunately, of course, the spooler itself is user "lp".  So you can do:

	% lpstat -t
	% (note sequence numbers of requests were spooled by user xxx)
	% lp -dfast-printer /usr/spool/lp/request/[class]/d0-[sequence]

and, with a little bit of luck and a long queue on the original printer,
you can get a listing of a file you shouldn't be able to read.

BTW, note that the orignal poster's problem can be solved (except for
the above) by simply specifying the "-c" switch to lp;  this even handles
banners.  Or you can specify the banner with the "-t" switch.  (RTFM!)
-- 
	Geoff Kuenning   geoff@ITcorp.com   {uunet,trwrb}!desint!geoff